github
diff --git a/‎java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
Lines changed: 7 additions & 5 deletions b/‎java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
Lines changed: 7 additions & 5 deletions
diff --git a/‎java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll
Lines changed: 15 additions & 0 deletions b/‎java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll
Lines changed: 15 additions & 0 deletions
diff --git a/‎java/ql/src/change-notes/2024-12-17-experimental-queries.md
Lines changed: 4 additions & 0 deletions b/‎java/ql/src/change-notes/2024-12-17-experimental-queries.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
Lines changed: 8 additions & 6 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
Lines changed: 8 additions & 6 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
Lines changed: 5 additions & 4 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
Lines changed: 5 additions & 4 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
Lines changed: 2 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
Lines changed: 11 additions & 5 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
Lines changed: 11 additions & 5 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
Lines changed: 8 additions & 8 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
Lines changed: 8 additions & 8 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
Lines changed: 12 additions & 6 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
Lines changed: 12 additions & 6 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll
Lines changed: 2 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll
Lines changed: 2 additions & 0 deletions
@@ -104,9 +104,9 @@ private import codeql.mad.ModelValidation as SharedModelVal
  * Extend this class to include experimental model rows with `this` name
  * in data flow analysis.
  */
-abstract class ActiveExperimentalModels extends string {
+abstract private class ActiveExperimentalModelsInternal extends string {
   bindingset[this]
-  ActiveExperimentalModels() { any() }
+  ActiveExperimentalModelsInternal() { any() }
 
   /**
    * Holds if an experimental source model exists for the given parameters.
@@ -142,6 +142,8 @@ abstract class ActiveExperimentalModels extends string {
   }
 }
 
+deprecated class ActiveExperimentalModels = ActiveExperimentalModelsInternal;
+
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string package, string type, boolean subtypes, string name, string signature, string ext,
@@ -151,7 +153,7 @@ predicate sourceModel(
     Extensions::sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance,
       madId)
     or
-    any(ActiveExperimentalModels q)
+    any(ActiveExperimentalModelsInternal q)
         .sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, madId)
   )
 }
@@ -165,7 +167,7 @@ predicate sinkModel(
     Extensions::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance,
       madId)
     or
-    any(ActiveExperimentalModels q)
+    any(ActiveExperimentalModelsInternal q)
         .sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId)
   )
 }
@@ -179,7 +181,7 @@ predicate summaryModel(
     Extensions::summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
       provenance, madId)
     or
-    any(ActiveExperimentalModels q)
+    any(ActiveExperimentalModelsInternal q)
         .summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
           provenance, madId)
   )
 
@@ -34,6 +34,11 @@ extensible predicate neutralModel(
 );
 
 /**
+ * INTERNAL: Do not use.
+ *
+ * DEPRECATED: This predicate is only intended for adding models used by experimental queries.
+ * This predicate will be deleted in the future.
+ *
  * Holds if an experimental source model exists for the given parameters.
  * This is only for experimental queries.
  */
@@ -43,6 +48,11 @@ extensible predicate experimentalSourceModel(
 );
 
 /**
+ * INTERNAL: Do not use.
+ *
+ * DEPRECATED: This predicate is only intended for adding models used by experimental queries.
+ * This predicate will be deleted in the future.
+ *
  * Holds if an experimental sink model exists for the given parameters.
  * This is only for experimental queries.
  */
@@ -52,6 +62,11 @@ extensible predicate experimentalSinkModel(
 );
 
 /**
+ * INTERNAL: Do not use.
+ *
+ * DEPRECATED: This predicate is only intended for adding models used by experimental queries.
+ * This predicate will be deleted in the future.
+ *
  * Holds if an experimental summary model exists for the given parameters.
  * This is only for experimental queries.
  */
 
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
@@ -111,9 +111,11 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
   )
 }
 
-from SpringBootPom pom, ApplicationProperties ap, Dependency d
-where
-  hasConfidentialEndPointExposed(pom, ap) and
-  d = pom.getADependency() and
-  d.getArtifact().getValue() = "spring-boot-starter-actuator"
-select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+deprecated query predicate problems(Dependency d, string message) {
+  exists(SpringBootPom pom |
+    hasConfidentialEndPointExposed(pom, _) and
+    d = pom.getADependency() and
+    d.getArtifact().getValue() = "spring-boot-starter-actuator"
+  ) and
+  message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+}
@@ -12,8 +12,9 @@
  */
 
 import java
-import SpringBootActuators
+deprecated import SpringBootActuators
 
-from PermitAllCall permitAllCall
-where permitAllCall.permitsSpringBootActuators()
-select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
+deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
+  permitAllCall.permitsSpringBootActuators() and
+  message = "Unauthenticated access to Spring Boot actuator is allowed."
+}
@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 
 /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
 
@@ -22,7 +22,7 @@ import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.Sanitizers
 import Log4jInjectionFlow::PathGraph
 
-private class ActivateModels extends ActiveExperimentalModels {
+deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "log4j-injection" }
 }
 
@@ -52,7 +52,13 @@ module Log4jInjectionConfig implements DataFlow::ConfigSig {
  */
 module Log4jInjectionFlow = TaintTracking::Global<Log4jInjectionConfig>;
 
-from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink
-where Log4jInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  Log4jInjectionFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "Log4j log entry depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}
@@ -17,7 +17,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
 import RemoteUrlToOpenStreamFlow::PathGraph
 
-private class ActivateModels extends ActiveExperimentalModels {
+deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "openstream-called-on-tainted-url" }
 }
 
@@ -53,11 +53,11 @@ module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
 
 module RemoteUrlToOpenStreamFlow = TaintTracking::Global<RemoteUrlToOpenStreamFlowConfig>;
 
-from
-  RemoteUrlToOpenStreamFlow::PathNode source, RemoteUrlToOpenStreamFlow::PathNode sink,
-  MethodCall call
-where
+deprecated query predicate problems(
+  MethodCall call, RemoteUrlToOpenStreamFlow::PathNode source,
+  RemoteUrlToOpenStreamFlow::PathNode sink, string message
+) {
   sink.getNode().asExpr() = call.getQualifier() and
-  RemoteUrlToOpenStreamFlow::flowPath(source, sink)
-select call, source, sink,
-  "URL on which openStream is called may have been constructed from remote source."
+  RemoteUrlToOpenStreamFlow::flowPath(source, sink) and
+  message = "URL on which openStream is called may have been constructed from remote source."
+}
@@ -17,12 +17,12 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.TaintedPathQuery
-import JFinalController
+deprecated import JFinalController
 import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.security.Sanitizers
 import InjectFilePathFlow::PathGraph
 
-private class ActivateModels extends ActiveExperimentalModels {
+deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "file-path-injection" }
 }
 
@@ -66,7 +66,13 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
 
 module InjectFilePathFlow = TaintTracking::Global<InjectFilePathConfig>;
 
-from InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink
-where InjectFilePathFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "External control of file name or path due to $@.",
-  source.getNode(), "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  InjectFilePathFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "External control of file name or path due to $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}
@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 private import semmle.code.java.dataflow.FlowSources
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+deprecated module;`
	`2`	`+`
`1`	`3`	`import java`
`2`	`4`
`3`	`5`	/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */